[3.8] bpo-43920: Make load_verify_locations(cadata) error message consistent (GH...

author Christian Heimes <christian@python.org>

Fri, 23 Apr 2021 14:37:09 +0000 (16:37 +0200)

committer GitHub <noreply@github.com>

Fri, 23 Apr 2021 14:37:09 +0000 (16:37 +0200)
author Christian Heimes <christian@python.org>
Fri, 23 Apr 2021 14:37:09 +0000 (16:37 +0200)
committer GitHub <noreply@github.com>
Fri, 23 Apr 2021 14:37:09 +0000 (16:37 +0200)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

index 4ed1b3c999bdbfcd6d463c095856122a929f9bbf..1fa024191893e654a21b1a8f076415c35ec4f807 100644 (file)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1475,12 +1475,17 @@ class ContextTests(unittest.TestCase):
          ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
          self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
  
-        with self.assertRaisesRegex(ssl.SSLError, "no start line"):
+        with self.assertRaisesRegex(
+            ssl.SSLError,
+            "no start line: cadata does not contain a certificate"
+        ):
              ctx.load_verify_locations(cadata="broken")
-        with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
+        with self.assertRaisesRegex(
+            ssl.SSLError,
+            "not enough data: cadata does not contain a certificate"
+        ):
              ctx.load_verify_locations(cadata=b"broken")
  
-
      def test_load_dh_params(self):
          ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
          ctx.load_dh_params(DHFILE)
diff --git a/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst

new file mode 100644 (file)

index 0000000..28ff0fb
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
@@ -0,0 +1,2 @@
+OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a
+consistent error message when cadata contains no valid certificate.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index d275f224b39a4f0dabc3cd2c300597fb219fac44..d6a2fb814adcd81e3ec59eb65f38f56eb958d1c8 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4097,7 +4097,7 @@ _add_ca_certs(PySSLContext *self, void *data, Py_ssize_t len,
  {
      BIO *biobuf = NULL;
      X509_STORE *store;
-    int retval = 0, err, loaded = 0;
+    int retval = -1, err, loaded = 0;
  
      assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
  
@@ -4151,23 +4151,32 @@ _add_ca_certs(PySSLContext *self, void *data, Py_ssize_t len,
      }
  
      err = ERR_peek_last_error();
-    if ((filetype == SSL_FILETYPE_ASN1) &&
-            (loaded > 0) &&
-            (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
-            (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+    if (loaded == 0) {
+        const char *msg = NULL;
+        if (filetype == SSL_FILETYPE_PEM) {
+            msg = "no start line: cadata does not contain a certificate";
+        } else {
+            msg = "not enough data: cadata does not contain a certificate";
+        }
+        _setSSLError(msg, 0, __FILE__, __LINE__);
+        retval = -1;
+    } else if ((filetype == SSL_FILETYPE_ASN1) &&
+                    (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+                    (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
          /* EOF ASN1 file, not an error */
          ERR_clear_error();
          retval = 0;
      } else if ((filetype == SSL_FILETYPE_PEM) &&
-                   (loaded > 0) &&
                     (ERR_GET_LIB(err) == ERR_LIB_PEM) &&
                     (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
          /* EOF PEM file, not an error */
          ERR_clear_error();
          retval = 0;
-    } else {
+    } else if (err != 0) {
          _setSSLError(NULL, 0, __FILE__, __LINE__);
          retval = -1;
+    } else {
+        retval = 0;
      }
  
      BIO_free(biobuf);
author	Christian Heimes <christian@python.org>
	Fri, 23 Apr 2021 14:37:09 +0000 (16:37 +0200)
committer	GitHub <noreply@github.com>
	Fri, 23 Apr 2021 14:37:09 +0000 (16:37 +0200)
Lib/test/test_ssl.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst	[new file with mode: 0644]	patch \| blob
Modules/_ssl.c		patch \| blob \| blame \| history